Categories: FacebookSecurity newsTechnology

Hackers Could Have Exploited Facebook Accounts Via Oculus App

Vulnerabilities allowed hacking in Facebook using Oculus integration

Facebook’s integration with the Oculus virtual reality headset could have opened doors for malicious attackers to hijack accounts by exploiting the latter had the social networking giant not patched the vulnerabilities.

Oculus, known best for their Oculus Rift virtual reality (VR) headset, was founded in 2012. In March 2014, Facebook announced that they would acquire Oculus VR, which was later completed in July 2014. In August 2014, Facebook included Oculus Rift in its white hat bug bounty program and paid money to researchers for reporting bugs. Since then, several vulnerabilities have been found in Oculus services including a series of flaws that earned a researcher $25,000.

In October 2017, Josip Franjkovic, a web security consultant, decided to examine the Oculus application for Windows, which enables users to connect their Facebook accounts for a more social experience by using both the native Windows Oculus application and browsers.

In his research, Franjkovic demonstrated how an attacker could hijack Facebook accounts by using specially crafted GraphQL queries to connect a victim’s Facebook account to the attacker’s Oculus account and obtain the victim’s access_token, which also has access to Facebook’s GraphQL endpoint. Using specially crafted GraphQL queries, the attacker can take control of the victim’s Facebook account and change the victim’s account’s phone number and then reset the account’s password.

Franjkovic reported the vulnerability to Facebook on October 24 under the company’s bug bounty program for which a temporary fix was done on the same day that involved disabling the facebook_login_sso endpoint. Further, a permanent patch was rolled out by Facebook on October 30.

However, Franjkovic discovered a login CSRF (cross site request forgery) vulnerability a few weeks later that could have been used to exploit bypass Facebook’s patch by redirecting the victim to an Oculus URL of the attacker’s choice.

Franjkovic reported the second flaw to Facebook on November 18 for which a temporary fix was done on the same day by again disabling thefacebook_login_sso endpoint. Three weeks later, a complete patch was rolled out by the company.

“The fix was to implement a CSRF check on the /account_receivable/endpoint, AND add an additional click to confirm the link between Facebook and Oculus accounts,” Franjkovic wrote. “I believe this properly fixes the vulnerability without degrading user experience too much.”

While Franjkovic did not disclose how much bounty amount he earned from Facebook for discovering the vulnerabilities, but the social networking giant did reveal last week (via SecurityWeek) that it had ended up paying $880,000 in bug bounties in 2017 to security researchers.

You can check technical details for the vulnerabilities on Franjkovic’s blog.

Source: SecurityWeek, wccftech

Kavita Iyer

An individual, optimist, homemaker, foodie, a die hard cricket fan and most importantly one who believes in Being Human

Recent Posts

  • Laws and Legalities
  • The Pirate Bay

The Pirate Bay And Other Sites Ordered To Be Blocked By ISP Telia

ISP Telia has been ordered by the court to block The Pirate Bay, Fmovies, Dreamfilm, and other sites Telia, an internet service…

13 hours ago
  • Security news
  • Windows 10

Windows 10 October 2018 Update Build 17763.104 released to Insiders with fixes

Patched Windows 10 October 2018 Update Build 17763.104 Released To Slow And Release Preview Rings Microsoft is currently rolling out…

14 hours ago
  • Guide

DNS_Probe_Finished_No_Internet fix for the chrome browser

Ignoring the fact that you love playing with this dinosaur, having it while browsing the internet can be a huge…

2 days ago
  • List

10 Best Sites To Watch Hindi Movies Online- Free And Legally In 2018

Bollywood often referred to as Hindi movies is the Indian Hindi-language film industry with the highest number of movie releases…

2 days ago
  • Android App
  • News

Winamp to make a comeback as a mobile app in 2019

Winamp reimagined as an audio app for mobile could arrive in 2019 Winamp, the 21-year-old iconic media player, is set…

2 days ago
  • Google
  • Technology

Real-time Google Translate available on all Google Assistant headphones

Real-time translation is coming to all Google Assistant-optimized headphones and Android phones When Google launched the Google Assistant-enabled Pixel Buds…

2 days ago